The Troubling Implications Of The Celebrity Photo Leak

To learn more about the recent celebrity photo hack, Melissa Block speaks with Matthew Green of Johns Hopkins University. They discuss how the photos might have been obtained, as well as how you can protect your own material saved to the cloud.

Copyright 2014 NPR. To see more, visit http://www.npr.org/.

Transcript

MELISSA BLOCK, HOST:

Computer hackers, celebrities, nude photos. We've heard the story before but this time the implications could be more worrisome. Actress Jennifer Lawrence and model Kate Upton are the - among the latest who've been hacked. Intimate photos of dozens of celebrities - all of them women, were posted yesterday on the anonymous website 4chan. The thinking is that the hacker or hackers got into the celebrities iCloud accounts, but Apple released a statement today saying none of the cases resulted from any breach of its systems, including iCloud or Find My iPhone. We're going to talk more about this with Matthew Green. He teaches computer science at Johns Hopkins University and specializes in information security. Welcome to the program.

MATTHEW GREEN: Thank you.

BLOCK: So Matthew, Apple is saying it is outraged by this. They call it a very targeted attack on usernames, passwords and security questions. But again they say not a breach of its systems. How do you read that?

GREEN: Well, I think that word breach is a - is a kind of a technical term and here it's being used in a very specific way. The way I world read this is that they're saying there's no fundamental error or flaw in their system that's allowing people to go in and scoop out massive amounts of data. What they're saying is that the hackers in this case, if there are hackers against iCloud, what they did is they guessed passwords and they guessed security questions and they were able to compromise just these specific accounts.

BLOCK: And isn't the idea though that you should be able to - if you try passwords too many times you get locked out? I mean, that happens to me all the time, when I forget my password it tells, me sorry your time is up.

GREEN: Well, so this is actually an interesting part of the story. So, usually there is a lockout. You get three or five chances and then you're locked out and that means that even if you have a pretty bad password most people won't be able to guess your password after three or five attempts. Up until recently there was actually a bit of a bug in some of Apple's systems that allowed people to go in and guess as many times as they wanted - even run programs that would run through every possible password they could think up and see if they got one that was a match. Now it's not clear from this press release if Apple is denying that that particular bug was exploited here or if they just got very lucky in the three or five attempts that they had to make a guess.

BLOCK: There is also this issue, that this whole thing raises, which is that some of the people who were victimized here had deleted photographs on her iPhones but those photos still exist in the cloud.

GREEN: So, this is one of the hardest things. I mean, we have backups of our phone and by default when you buy an iPhone it will ask you to make a backup. When you delete things from your phone, usually you're doing that on purpose. You want it to go away. But right now the way the cloud works is it doesn't know that. It keeps copies of things as a back, for a long time potentially. That means they're vulnerable to hackers or anybody else who might want to get their hands on them.

BLOCK: So, if you're vulnerable how can you do your best to protect the data that you do have?

GREEN: Well, right now we don't have great solutions but the number one thing is pick a very good password, even if that means it's a little bit of hassle to enter it. The number two thing is, you know, be aware of what you're putting on your phone. And the number three thing - which is a bit of inconvenient, is try something called, two factor authentication. What that does is it means that Apple will send you, for example, a text message every time somebody tries to log into your account and only the person who receives that text message will be able to continue and login.

BLOCK: Matthew Green is assistant research professor at the Johns Hopkins Information Security Institute. Thanks so much for talking with us.